====== Root User Best Practices ======

**What it is:** The recommended security steps for protecting the AWS account root user.

**What it's for:**
  * Reduce the chance of account takeover.
  * Ensure only authorized people can perform sensitive account-level actions.

**Must-do recommendations (exam essentials):**
  * **Enable [[aws:security:mfa|MFA]] for the root user** (strongest protection).
  * **Create a strong password** for the root user.
  * **Do NOT create root access keys** for daily use. Use IAM roles/users instead.
  * **Do NOT share root credentials** broadly. Keep root usage extremely limited.
  * **Do NOT email the root password** or store it in insecure places.

**Why these match your question (Select two):**
  * ✅ Enable MFA for the AWS account root user.
  * ✅ Create a strong password for the AWS account root user.

**Why the other options are bad (quick):**
  * "Encrypt access keys and save on S3" → still risky; don't rely on storing long-term keys (especially root keys).
  * "Create root access keys and share with owner" → root access keys are dangerous; best practice is to avoid them.
  * "Email username/password" → email is not a secure secret store; it increases leakage risk.

**Hard words:**
  * *account takeover* /əˈkaʊnt ˈteɪkˌoʊvər/: taking control of someone's account
  * *credentials* /krəˈdɛnʃəlz/: login information
  * *leakage* /ˈliːkɪdʒ/: a leak
  * *secure* /sɪˈkjʊr/: safe

**See also:**
  * [[aws:security:iam|IAM]]
  * [[aws:security:mfa|MFA]]
  * [[aws:security:iam:least-privilege|Least Privilege]]
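As an added example (not part of this wiki page), the following Python checks the root user row of an IAM credential report against the must-do recommendations above: MFA enabled and no root access keys. It assumes the CSV layout that the base64-decoded output of `aws iam get-credential-report` has, and it uses a constructed sample report instead of a live AWS call.

```python
import csv
import io

# Constructed sample report (not real account data), trimmed to the columns
# this check reads. The root user appears as "<root_account>" in the report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,true,true,false,false
"""

COMPLIANT_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,false
"""


def root_findings(report_csv: str) -> list[str]:
    """Return the root-user recommendations the report shows as violated.

    An empty list means the root user has MFA enabled and no active access keys.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["root user row missing from credential report"]

    findings = []
    # Recommendation: enable MFA for the root user.
    if root["mfa_active"] != "true":
        findings.append("enable MFA for the root user")
    # Recommendation: do not keep root access keys; flag each active one.
    for column in ("access_key_1_active", "access_key_2_active"):
        if root[column] == "true":
            findings.append(f"root {column.replace('_active', '')} is active; delete it")
    return findings


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_REPORT) or ["root user follows the recommendations"]:
        print(finding)
```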